Simscan ClamAV Chkuser Installation Guide

Introduction

This is a quick guide to installing Simscan, ClamAV and Chkuser, setting up an antivirus/antispam[1] solution for your Qmail server.

By following this guide you’ll end up with a running installation of these products. The goal here is to not miss any detail needed to set them up. If you see that something is missing, contact me or add it yourself.

It’s assumed you already know how to manage a Qmail server and how to compile products from source. During this installation process we’re going to apply two patches to netqmail, so you have to understand what you’re doing.

This installation was tested only on RedHat 9.0, but it should work on other systems too.

What are Simscan, ClamAV and Chkuser?

We use these three packages to implement an antivirus/antispam[1] solution for our Qmail/Vpopmail mail server.

[1] Currently the antispam capabilities of the presented installation are limited to those added by the Chkuser package. For a more complete antispam solution we should add Spamassassin to this installation. Simscan was written with Spamassassin in mind, but we’re still not using it here. A future version of this guide will include the Spamassassin integration with Simscan. For more information, see http://www.qmailwiki.org/Simscan/Guide.

Simscan is a simple program that enables qmail-smtpd to reject viruses and spam, and to block attachments, during the SMTP conversation, so the email never makes it into your computers. It is completely open source and uses other open source components. It is very efficient and written in C.

Clam AntiVirus is a GPL anti-virus toolkit for UNIX. The main purpose of this software is integration with mail servers (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a command line scanner, and a tool for automatic updating via the Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use with your own software. Most importantly, the virus database is kept up to date.

Chkuser is a patch to the qmail-smtpd executable that adds a lot of new features to it, especially the capability of refusing to receive messages for e-mail accounts that don’t exist. The original qmail-smtpd accepts all messages by default and checks for the existence of the recipients later. So, if a message is addressed to non-existing recipients, a lot of additional system work and network traffic is generated, with multiple expensive bounces if the sender is a fake one. Chkuser also enables qmail-smtpd to respond to settings passed through a set of new environment variables, like CHKUSER_RCPTLIMIT and CHKUSER_WRONGRCPTLIMIT.

In summary, when a new SMTP connection begins, qmail-smtpd first runs the Chkuser tests to decide whether it will accept or reject the message. If it accepts, qmail-smtpd triggers Simscan, which triggers ClamAV for virus scanning. If the message is considered clean, Simscan then triggers qmail-queue to deliver the message to its destination; otherwise it blocks the message by returning an error code to qmail-smtpd.

Prerequisites

This guide assumes that you already have a mail server running with these three products:

netqmail-1.05: http://www.qmail.org. Note: if you’re using the standard qmail-1.03 package, it should suffice, but you need to patch it with the QMAILQUEUE patch to enable Simscan to scan the mail messages.

Downloading the packages

This is the list of the packages necessary to make Simscan, ClamAV and Chkuser work. For each package listed, go to its website and download the latest stable version. There are required and recommended packages. You can choose not to install the recommended packages, but you will lose the features they add.

NOTE: We’re listing here the package names in the versions that were used in our installation, but you should use the most recent versions.

TIP: Download all the packages to a directory called /root/packages/simscan so you can better follow the commands we’re going to use later.

ClamAV required packages

ClamAV-0.85.1.tar.gz: This is the package with the antivirus. Download its latest version from http://www.ClamAV.net/.

zlib and zlib-devel packages: They provide the ability to work with .zip files. These already come installed in Redhat 9.0, so we won’t cover their installation.

gcc compiler suite (both 2.9x and 3.x are supported): this already comes installed in Redhat 9.0, so we won’t cover its installation.

ClamAV recommended packages

gmp-4.1.4.tar.gz: It's very important to install the GMP package because it allows freshclam (a ClamAV component) to verify the digital signatures of the virus databases. Download its latest version from http://www.swox.com/gmp/.

curl-7.13.2.tar.gz: ClamAV uses curl version >= 7.10.0 to follow the links inside a mail message and check if they are pointing to viruses. We’re not currently enabling this feature here, but we want to be able to use it eventually. Download the latest version from http://curl.haxx.se/.

bzip2 and bzip2-devel library: To install them in your Redhat, run ‘up2date bzip2 bzip2-devel’ and you’re done.

Simscan recommended packages

qmail-queue-custom-error.patch: Enables Simscan to return the appropriate message for each e-mail it refuses to deliver. It is bundled with Simscan source, in the ~/contrib directory, so you don’t have to download it from elsewhere.

ClamAV: ClamAV is required for the antivirus function of Simscan. You should have already downloaded ClamAV at this point.

Chkuser assumes the home directory of the vpopmail user is /home/vpopmail, which is not true for most vpopmail installations. Here vpopmail is installed under /var/vpopmail, so let’s edit the files Makefile and conf-cc to fix the path to the vpopmail home directory.

Edit Makefile:

vi Makefile

Substitute the line with the wrong path by the one below:

VPOPMAIL_HOME=/var/vpopmail

Edit conf-cc:

vi conf-cc

Substitute the line with the wrong path by the one below:

cc -O2 -I/var/vpopmail/include

Setting qmail-smtpd to run under vpopmail UID and GID

To verify the existence of the email accounts, qmail-smtpd will need to read vpopmail files and directories. The standard qmail installation sets qmail-smtpd to run under the ‘qmaild’ UID and GID; we need to change it to the vpopmail user’s UID and GID.

Below is an example of a /service/qmail-smtpd/run script that runs qmail-smtpd under the Vpopmail UID and GID:

As you can see, the patch to qmail.h was successful, but the patch to qmail.c was unsuccessful. This is because this patch is not prepared to be applied after the QMAILQUEUE patch that comes installed with netqmail.

To solve this, either edit qmail.c and add the rejected hunk saved in qmail.c.rej manually, or use the qmail.c file below, which was previously edited by Darrel (don’t know his last name) and posted on the simscan mailing list at http://article.gmane.org/gmane.mail.qmail.simscan/1395. The thread subject was ‘qmail-queue patch isn't compatible with qmail-queue-custom-error.patch’.

It forces you to read /etc/clamd.conf and edit it. So edit it and make the following modifications:

# Comment or remove the line below.
#Example

Change the path to the logfile to /var/log:

LogFile /var/log/clamd.log

Add clamd to the local initialization script, /etc/rc.d/rc.local:

echo '/usr/local/sbin/clamd' >> /etc/rc.d/rc.local

Start it manually now:

clamd

Activating the virus definitions update

To activate the automatic download of the virus definition database, you have to schedule a utility called /usr/local/bin/freshclam in your crontab.

Before you try to run freshclam, edit its configuration file /etc/freshclam.conf and comment out the “Example” line just like you did in /etc/clamd.conf; otherwise freshclam won’t execute and will print an error message.
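Both /etc/clamd.conf and /etc/freshclam.conf ship with the same “Example” guard line, and clamd.conf additionally needs its LogFile changed as described above. The following script is an added example for this guide, not code from ClamAV or from the original text: it applies those edits to the configuration text and checks the result, so you can verify a file before starting clamd or freshclam. The sample configuration excerpt is constructed here; the function and variable names are this example’s own.

```python
"""Apply the clamd.conf/freshclam.conf edits from the guide and check them.

Added example, not part of ClamAV or of the guide.  It works on the file
contents as text so the logic can be tested without touching /etc.
"""
import re
import sys

# Constructed excerpt of a stock clamd.conf, before editing.
SAMPLE_CLAMD_CONF = """\
## Example config file for clamd
# Comment or remove the line below.
Example

# Uncomment this option to enable logging.
#LogFile /tmp/clamd.log
"""

EXAMPLE_GUARD = re.compile(r"^Example[ \t]*$", re.MULTILINE)
# Matches an active or commented "LogFile <path>" line, but not LogFileMaxSize etc.
LOGFILE_LINE = re.compile(r"^#?[ \t]*LogFile[ \t]+.*$", re.MULTILINE)


def disable_example_guard(text):
    """Comment out a bare 'Example' line; clamd and freshclam refuse to run while it is active."""
    return EXAMPLE_GUARD.sub("#Example", text)


def set_log_file(text, path="/var/log/clamd.log"):
    """Point LogFile at path, replacing the first existing (possibly commented) LogFile line
    or appending one if the file has none."""
    replacement = f"LogFile {path}"
    if LOGFILE_LINE.search(text):
        return LOGFILE_LINE.sub(replacement, text, count=1)
    if not text.endswith("\n"):
        text += "\n"
    return text + replacement + "\n"


def prepare_clamd_conf(text):
    """The two clamd.conf edits from the guide: drop the guard, log to /var/log/clamd.log."""
    return set_log_file(disable_example_guard(text))


def prepare_freshclam_conf(text):
    """freshclam.conf only needs the guard removed; it keeps its own log settings."""
    return disable_example_guard(text)


def check_conf(text):
    """Return the problems that would stop the daemon from running cleanly; empty means ready."""
    problems = []
    if EXAMPLE_GUARD.search(text):
        problems.append("'Example' line still active: clamd/freshclam will refuse to start")
    if not re.search(r"^LogFile[ \t]+\S", text, re.MULTILINE):
        problems.append("no active LogFile directive")
    return problems


if __name__ == "__main__":
    # Usage: python this_script.py /etc/clamd.conf   (prints problems, edits nothing)
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/clamd.conf"
    with open(path) as fh:
        for problem in check_conf(fh.read()) or ["ok"]:
            print(f"{path}: {problem}")
```

The check is deliberately separate from the edit: run check_conf over the real file after editing it, and again after any ClamAV upgrade that reinstalls a stock configuration, since a restored “Example” line silently disables freshclam updates until someone looks at the cron output.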

After editing this file, add the freshclam command line to an hourly execution in your crontab:

Open the root crontab:

crontab -e

Add the line below:

N * * * * /usr/local/bin/freshclam --quiet

Where “N” is a number between 0 and 59 defining the minute at which the job starts. The ClamAV website asks people not to use minutes that are multiples of 10, because a lot of freshclam clients connect at those time slots.

You can execute freshclam by hand right now and see it updating the virus database:

Creating Simscan control files

Since we compiled Simscan with the --enable-per-domain option, simscan will be able to do “per domain scanning”. Per domain scanning allows the administrator to state explicitly what scanning occurs for which domain. In addition, attachment scanning can be enabled or disabled for each domain.

Simscan will read its scanning rules from /var/qmail/control/simcontrol.cdb. This .cdb file is generated by running /var/qmail/bin/simscanmk. That command builds the .cdb file from a text file called /var/qmail/control/simcontrol, which is where we’ll define the per domain scanning rules.

Edit /var/qmail/control/simcontrol:

vi /var/qmail/control/simcontrol

Add the following rule to disable the spam scanner, enable the clam and attach scanners, and set the attach scanner to unconditionally block every e-mail containing .scr, .bat, .com, .pif or .exe attachments:

:clam=yes,spam=no,attach=.scr:.bat:.com:.pif:.exe

NOTE: The syntax above is for a ‘default rule’, a rule valid for all domains on the machine. Observe that there is no domain name before the initial colon “:”. To add a rule valid only for a specific domain, put the domain name before the colon, for example: somedomain.com:clam=yes,attach=no. Read the README file from the simscan source for additional help with the syntax.

Generate the simcontrol.cdb file:

/var/qmail/bin/simscanmk
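To make the rule syntax concrete, here is an added example (not simscan’s code and not from the original guide) that parses a simcontrol text file with the two rule shapes shown above and decides what a given recipient gets: the domain’s own rule if one exists, otherwise the default ‘:’ rule. The sample simcontrol content is constructed. Two points are assumptions made by this example rather than facts stated on the page: that the domain rule takes precedence over the default rule, and that blocked extensions are matched case-insensitively against the end of the attachment filename. Note the parsing detail the format forces on you: only the first colon on a line separates the domain from the settings, because the attach list reuses ‘:’ as its separator.

```python
"""Parse simscan's simcontrol text format and pick the rule for a recipient.

Added example for this guide; not simscan's own code.  Lookup order and
extension matching are assumptions of this example (see lead-in).
"""
from dataclasses import dataclass

# Constructed sample simcontrol: the default rule from the guide plus one per-domain override.
SAMPLE_SIMCONTROL = """\
# default rule: scan with clamav, no spamassassin, block risky attachments
:clam=yes,spam=no,attach=.scr:.bat:.com:.pif:.exe
somedomain.com:clam=yes,attach=no
"""


@dataclass
class Rule:
    clam: bool = False
    spam: bool = False
    attach: tuple = ()  # lowercase extensions to block; empty tuple means attach check is off


def parse_rule(spec):
    """Parse 'key=value,key=value' into a Rule; unknown keys are rejected loudly."""
    rule = Rule()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "clam":
            rule.clam = value.lower() == "yes"
        elif key == "spam":
            rule.spam = value.lower() == "yes"
        elif key == "attach":
            if value.lower() in ("no", ""):
                rule.attach = ()
            else:
                rule.attach = tuple(ext.lower() for ext in value.split(":") if ext)
        else:
            raise ValueError(f"unknown simcontrol key: {key!r}")
    return rule


def parse_simcontrol(text):
    """Return {domain: Rule}; the default rule is stored under the empty string."""
    rules = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the FIRST ':' only; the attach value contains more colons.
        domain, sep, spec = line.partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: missing ':' between domain and settings")
        rules[domain.strip().lower()] = parse_rule(spec)
    return rules


def rule_for(rules, recipient):
    """Domain rule if present, else the default ':' rule (assumed precedence)."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in rules:
        return rules[domain]
    if "" in rules:
        return rules[""]
    raise LookupError(f"no rule for {domain} and no default rule")


def blocked_attachments(rule, filenames):
    """Attachment names the rule would block, by case-insensitive suffix match."""
    return [name for name in filenames
            if any(name.lower().endswith(ext) for ext in rule.attach)]


if __name__ == "__main__":
    rules = parse_simcontrol(SAMPLE_SIMCONTROL)
    for rcpt, files in (("bob@example.org", ["report.pdf", "Invoice.EXE"]),
                        ("alice@somedomain.com", ["setup.exe"])):
        r = rule_for(rules, rcpt)
        print(rcpt, r, "blocked:", blocked_attachments(r, files))
```

Running this against your real /var/qmail/control/simcontrol before calling simscanmk catches the two mistakes that otherwise surface only as unexpected scanning behaviour: a misspelled key, and a per-domain line that accidentally leaves out attach= and so no longer blocks the default extensions.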

There is another .cdb file simscan reads, /var/qmail/control/simversions.cdb, from which it gets the “scanner versions” information. Simscan uses this information to add a “Received: by simscan...” header to each scanned message, containing the version of each of its scanners. The added header will look like the one below:

To create the /var/qmail/control/simversions.cdb file simply run simscanmk with the ‘-g’ option:

/var/qmail/bin/simscanmk -g

This command will discover the proper scanner versions and add them to the .cdb file. Remember to rerun this command every time you update one of the scanners, for example after you update ClamAV to a newer version.

Testing Simscan

Before activating simscan for good, test it from the command line with the DEBUG messages enabled.